Let's Encrypt is unable to validate this domain name

Hi everyone, I have a Synology DS418play which has had a Let's Encrypt certificate for a couple of years and has never had an issue renewing automatically until now, which I only noticed when my certificate expired. If I try to renew the certificate manually, I get the error "Let's Encrypt is unable to validate this domain name". I have ensured that ports 80 and 443 are open, and I also saw this thread (Failed to connect to Let's Encrypt. Please make sure the domain name is valid) and followed the advice there, to no avail. I was not able to check the .well-known ACME challenge file because no such file seems to exist on my NAS. My DNS configuration does not have IPv6 configured (no AAAA records). The only thing I noticed that was different was that when I check my DNS records using a third-party service, it also has *.happylittlebirds.com, even though I have not configured a wildcard domain like that with my domain registrar.

My domain is: happylittlebirds.com

I ran this command: I used the built in features of Synology DSM 7.0.

It produced this output: "Let's Encrypt is unable to validate this domain name. Please make sure your DiskStation and router have port 80 open to Let's Encrypt domain validation from the Internet. All the other communications with Let's Encrypt go over HTTPS to keep your DiskStation secure."

My web server is (include version): The version DSM 7.0 includes.

The operating system my web server runs on is (include version): DSM 7.0.1-42214

My hosting provider, if applicable, is: Self-hosted. Google Domains, if that's what it's asking for.

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): nil

Sorry, adding a reply to include the domain configuration I have with Google Domains:

It doesn't seem that port 80 is accessible on your IP, connections just time out:

Can you double check that the port forwarding is set up, and that your ISP is not blocking port 80 for your internet service with them?

Hi there, thanks for your response!

I have verified that port forwarding is enabled for ports 80 and 443:

I have also verified that I am able to access my website on a separate device on a different connection via the web browser, so my ISP is not blocking port 80 or 443 for me.

Your page still doesn't load from my home.

Is it possible that your ISP allows connections on port 80 from within Singapore, but not from outside?

There is some evidence that this is the case:

  1. A web page test from EC2 Singapore succeeds: WebPageTest Screenshots - Singapore - EC2...appylittlebirds.com - 09/27/21 04:22:05
  2. The same test from another location (EC2 USA) experiences a connection timeout (same as Let's Encrypt): WebPageTest Screenshots - California : happylittlebirds.com - 09/27/21 04:25:28
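The multi-location test described in the reply above, as an added probe script (not code from this thread, from Let's Encrypt or from Synology): it opens TCP port 80 on the target, requests a path under /.well-known/acme-challenge/, and reports whether the connection timed out (packets silently dropped, the symptom a geo-block or ISP filter produces and what Let's Encrypt saw here), was refused (nothing forwarded to the NAS), or got an HTTP reply. Run from two machines in different regions it reproduces the Singapore-versus-California comparison. The token name, the loopback test server in selftest() and the port numbers are constructed for the demo; the script checks reachability only, not the key authorization the real validator compares.

```python
"""Probe a host's port 80 the way an ACME HTTP-01 validator first sees it.

Added example; not code from the forum thread, Let's Encrypt or Synology.
The token, the loopback server and the ports used in selftest() are
constructed for the demo.
"""
import http.server
import socket
import sys
import threading

ACME_PATH = "/.well-known/acme-challenge/"


def probe_http01(host, port=80, token="probe", timeout=5.0):
    """Return (verdict, detail) for one vantage point.

    verdict:
      'filtered'    - connect timed out: traffic dropped (firewall, geo-block, ISP)
      'refused'     - RST received: host reachable, nothing listening / no forward
      'unreachable' - DNS failure or no route
      'no-response' - TCP connected but no HTTP reply within the timeout
      'http'        - an HTTP reply arrived; detail is its status line
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered", "connect timed out after %.1fs" % timeout
    except ConnectionRefusedError:
        return "refused", "connection refused"
    except OSError as exc:
        return "unreachable", str(exc)
    with sock:
        request = ("GET %s%s HTTP/1.1\r\nHost: %s\r\n"
                   "User-Agent: acme-probe\r\nConnection: close\r\n\r\n"
                   % (ACME_PATH, token, host))
        sock.sendall(request.encode())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "no-response", "connected but no reply within %.1fs" % timeout
    if not reply:
        return "no-response", "connection closed without a reply"
    status_line = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    return "http", status_line


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in web server for the offline self-test; serves exactly one token."""
    token = "probe"

    def do_GET(self):
        if self.path == ACME_PATH + self.token:
            body = (self.token + ".constructed-key-authorization").encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def selftest():
    """Exercise the classifier offline: a loopback listener and a closed port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {
            "served": probe_http01("127.0.0.1", port, token="probe"),   # 200
            "missing": probe_http01("127.0.0.1", port, token="other"),  # 404
        }
    finally:
        server.shutdown()
        server.server_close()
    # Bind-then-close to find a port nothing listens on: the kernel answers RST.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    results["closed"] = probe_http01("127.0.0.1", closed_port)          # refused
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(probe_http01(sys.argv[1], port))
    else:
        for name, (verdict, detail) in selftest().items():
            print("%-8s %-12s %s" % (name, verdict, detail))
```

A single 'http' verdict from one location is necessary but not sufficient, since the real validator connects from several vantage points and follows redirects; a 'filtered' verdict from any host outside the allowed region is enough to explain the error in this thread, and a 404 still proves the port is reachable (DSM does not expose a static challenge file, so a 404 on a made-up token is the expected good result).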

Thank you and orangepizza so much for your help. I've figured it out - I set a region block on my NAS a while back to block incoming connections from outside Singapore as a security measure, and it completely slipped my mind that it would affect Let's Encrypt as well. I've fixed it by allowing connections to ports 80 and 443 from all around the world in the meantime. Seems like there is no way to only allow Let's Encrypt connections through, so this will do for now. The problem was solely self-caused, so I appreciate all of your time and effort in helping me out. Thanks!


LE only needs port 80, you can still geofence port 443 if you like.

Just a note: the DSM 7.0 firewall changes seem to behave differently to the 6.2 days. In the past, I would simply "disable" my DENY rule for the whole world, and then run the renew. This didn't work "this time". But as it turned out, I had to also disable/enable the firewall rule to actually make it work. (And my cert renewed fine.) Posted this just in case someone else comes across the same issue.
